DETAILED ACTION 

1. This is in response to the amendments filed on February 20th, 2008. Claims 1-7 have 
been amended; Claim 20 has been added; Claims 1-20 are pending and have been considered 
below. 

Claim Rejections - 35 USC § 101 

2. The amendments filed on February 20th, 2008 have been considered and are effective at 
overcoming the previous rejections. Therefore, the rejections to Claims 1-7 have been 
withdrawn. 

Claim Rejections - 35 USC § 102 

3. The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

4. Claims 1-19 are rejected under 35 U.S.C. 102(e) as being anticipated by Wong et al. 
(6,578,037). 

Claims 1 and 8: Wong et al. discloses a method and computer-readable medium or propagated 
signal having embodied thereon a computer program configured to determine whether a user is 
permitted to access a business object when executing a software application of an enterprise 
information technology system, the medium or signal comprising one or more code segments 
configured to: 

a. use a permission object (i.e. policy group attribute) to determine whether a user 
associated with an entry in user information is permitted to access a data object associated with a 
data object type (i.e. objects 218 and 224) [figure 2]; 

b. wherein the entry in the user information associates the user with a user affiliation, the 
permission object identifies: 

i. a user affiliation (i.e. which policy group user is associated to) to which the 
permission object applies [column 6, lines 3-9]; 

ii. a data object type (i.e. type of database record) to which the permission object applies such 
that the data object type is associated with multiple attributes (i.e. salary range, job categories, 
etc.) and each data object having the data object type is associated with the multiple attributes 
[column 6, lines 29-39]; 

iii. a permission attribute (i.e. salary range, job categories, etc.) identifying one of 
the multiple attributes [column 6, lines 29-39]; 

iv. and a permission value (i.e. employee's salary, employee's job category, etc.) 
for the permission attribute [column 6, lines 29-39]; 

c. and the user is permitted to access the data object when: 

i. the user affiliation that is associated with the user is the same user affiliation as 
the user affiliation to which the permission object applies (i.e. users affiliated with the 
"Human Resources of Company A" policy group may access employee records of 
employees earning salaries below a threshold) [column 6, lines 29-39]; 

ii. the data object type (i.e. only Company A's records) of the data object is the 
same data object type as the data object type to which the permission object applies 
[column 6, lines 29-39]; 

iii. and a value (i.e. recorded salary of employee's record is within the range of 
accessible salaries) of an attribute of the multiple attributes associated with the data 
object is consistent with the permission value of the permission attribute and the attribute 
corresponds to the permission attribute [column 6, lines 29-39]. 

Claim 13: Wong et al. discloses a computer system for determining whether a user is permitted 
to access a data object when executing a software application of an enterprise information 
technology system, the system comprising: 

a. a data repository (i.e. database system 100) for access control information for software 
having data objects, each data object [figure 1]: 

i. being associated with a data object type (i.e. only Company A's records) having 
multiple attributes (i.e. salary ranges, job categories, etc.) [column 6, lines 29-39]; 

ii. having multiple attributes (i.e. salary range, job categories, etc.) that are the 
same as the multiple attributes of the data object type to which the data object is 
associated [column 6, lines 29-39]; 

iii. and having a value associated (i.e. employee's salary, employee's job category, 
etc.) with each attribute of the multiple attributes [column 6, lines 29-39]; 

b. the data repository including: 

i. user information (i.e. context attribute values) that associates a user affiliation 
with a user of the software application [column 7, lines 46-48]; 

ii. and permission information (i.e. Company A HR policy group) having multiple 
permission objects (i.e. policies), each permission object identifying a user affiliation (i.e. 
only users from Company A's HR department) to which the permission object applies, a 
data object type (i.e. only Company A's employee records) to which the permission object 
applies, a permission attribute (i.e. salary range) identifying one of the multiple attributes, 
and a permission value (i.e. employee's salary) for the permission attribute [column 6, 
lines 29-39]; 

c. and an executable software module that causes: 

i. a comparison of a value of an attribute of the multiple attributes associated with 
a data object to which a user seeks to access such that the attribute corresponds to the 
permission attribute of a permission object with the permission value of the permission 
object (i.e. conditions that restrict results returned by a query, thereby restricting access to 
data) [column 5, lines 49-50]; 

ii. and an indication that a user is permitted to access a data object when the value 
of the attribute associated with the data object is consistent with the permission value of 
the permission object (i.e. the function checks context value attributes that identify the user 
to determine whether the user is associated with company A) [column 7, lines 41-45]. 

Claims 2, 9 and 14: Wong et al. discloses a medium or signal, method and system of claims 1, 8 
and 13 and further discloses that the one or more code segments are further configured to permit 
the user to access the data object when the value of the attribute of one of the multiple attributes 
associated with the data object is the same as the permission value of the permission attribute (i.e. 
permit users in HR of Company A to access employee records of employees earning salaries 
below a threshold) [column 6, lines 29-39]. 

Claims 3, 10 and 15: Wong et al. discloses a medium or signal, method and system of claims 1, 
8 and 13 and further discloses that the one or more code segments are further configured to 
permit the user to access the data object when the value of the attribute of one of the multiple 
attributes associated with the data object is within a range specified (i.e. range of salaries 
below a threshold) by the permission value of the permission attribute [column 6, lines 29-39]. 

Claims 4, 11 and 16: Wong et al. discloses a medium or signal, method and system of claims 1, 
8 and 13 and further discloses that the one or more code segments are further configured to 
permit the user to access the data object when the value of the attribute of one of the multiple 
attributes associated with the data object is one of enumerated values (i.e. one of the particular job 
categories) specified by the permission value of the permission attribute [column 6, lines 29-39]. 

Claims 5, 12 and 17: Wong et al. discloses a medium or signal, method and system of claims 1, 
8 and 13 and further discloses that: 

a. the permission object identifies an attribute group (i.e. policy groups) having one or 
more attributes of the multiple attributes associated with the data object type (i.e. default policy 
groups 150, 160 and 170) [figure 1]; 

b. and the one or more code segments are further configured to permit the user to access 
an attribute of the data object only when the attribute of the data object corresponds to an 
attribute of the attribute group of the permission object (i.e. permit users in HR of Company A to 
access employee records of employees earning salaries below a threshold) [column 6, lines 29-39]. 

Claims 6 and 18: Wong et al. discloses a medium or signal and system of claims 5 and 17 and 
further discloses that: 

a. the permission object identifies a second attribute group (i.e. plurality of policy groups 
and individual policies under each policy group) having one or more attributes of the multiple 
attributes associated with the data object type (i.e. default policy groups 150, 160 and 170) [figure 1]; 

b. a second permission attribute (i.e. particular job categories) identifying one of the 
multiple attributes [column 6, lines 29-39]; 

c. and a second permission value (i.e. employee's job category on record) for the second 
permission attribute, associates the second permission attribute and the second permission value 
with the second attribute group, and associates the permission attribute and permission value 
with the attribute group [column 6, lines 29-39]; 

d. and the one or more code segments are further configured to permit the user to access 
an attribute of the data object only when the attribute of the data object corresponds to an 
attribute of the second attribute group of the permission object and a value of an attribute of one 
of the multiple attributes associated with the data object is consistent with the second permission 
value of the second permission attribute (i.e. permit users in HR of Company B to access 
employee records of employees who belong to a particular job category) [column 6, lines 29-39]. 

Claims 7 and 19: Wong et al. discloses a medium or signal and system of claims 1 and 13 and 
further discloses that the permission object identifies a permitted action (i.e. access rule of 
particular context attribute value allows users associated with company A to change policy 
group attributes), and the one or more code segments are further configured to permit the user to 
access the data object and perform an action on the data object when the action is consistent with 
the permitted action identified in the permission object (i.e. the function checks context value 
attributes that identify the user to determine whether the user is associated with company A, and 
whether the new value belongs to the particular set of values) [column 7, lines 30-45]. 



Claim Rejections - 35 USC §103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

6. Claim 20 is rejected under 35 U.S.C. 103(a) as being unpatentable over Wong et al. 
(6,578,037) in view of Kraenzel (6,513,039). 

Claim 20: Wong et al. discloses a medium of claim 1 and further discloses that the permission 
object identifies a permitted action (i.e. access rule of particular context attribute value allows 
users associated with company A to change policy group attributes), and the one or more code 
segments are further configured to permit the user to access the data object and perform an action 
on the data object when the action is consistent with the permitted action identified in the 
permission object (i.e. the function checks context value attributes that identify the user to 
determine whether the user is associated with company A, and whether the new value belongs to 
the particular set of values) [column 7, lines 30-45], but does not explicitly disclose that the 
actions are database operations wherein the database operations comprise: create, read, update 
and delete. 

Application/Control Number: 10/720,447 

Art Unit: 2135 

However, Kraenzel discloses a similar invention and further discloses various database 
access operations such as read-only, edit or the like [column 1, lines 12-26]. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of 
invention to modify the invention disclosed by Wong et al. with the additional features of 
Kraenzel, in order to prevent access to sensitive objects such as those containing confidential 
information, as suggested by Kraenzel. 

Response to Arguments 

7. Applicant's arguments filed February 20th, 2008 have been fully considered but they are 
not persuasive. 

8. Regarding Claims 1, 8 and 13: The Applicant argues that the Wong et al. reference 
does not disclose a permission object having a permission attribute identifying one of the 
multiple attributes associated with the data object type, and a permission value for the permission 
attribute as required by the instant claims. Furthermore, the Applicant argues that the Wong et 
al. reference does not disclose using a permission object to determine whether a user is permitted 
to access a data object associated with a data object type, where the permission object identifies 
(1) a user affiliation to which the permission object applies, (2) a data object type to which the 
permission object applies such that the data object type is associated with multiple attributes and 
each data object having the data object type is associated with the multiple attributes, (3) a 
permission attribute identifying one of the multiple attributes associated with the data object 
type, and (4) a permission value for the permission attribute, as recited by the instant claims. 

However, the Examiner respectfully disagrees and submits that Wong et al. does in fact 
appear to disclose these features. The so called "set of rules" disclosed by Wong et al. are used 
to determine whether or not a user has access to a particular database object by analyzing a 
multitude of parameters such as but not limited to: a user's affiliated group, the particular 
database object or object type being accessed and even the particular attributes of the database 
object being accessed. Thus, based on what is claimed in the claim language, the Examiner 
respectfully submits that the "set of rules" disclosed by Wong et al. appear to be functionally 
equivalent to the claimed "permission object" which is also used to determine whether or not a 
user has access to a particular data object. 

Conclusion 

9. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to EDWARD ZEE whose telephone number is (571)270-1686. The 
examiner can normally be reached on Monday through Thursday 9:00AM-5:00PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

EZ 

May 20, 2008 
/KIMYEN VU/ 

Supervisory Patent Examiner, Art Unit 2135 



